Wednesday 31 January 2007

ORG - eVoting campaign

Happy new year. Sorry it's been a while since my last post, the joys of Christmas and the New Year huh? Well the DCA have revealed which authorities are running pilots this year and the nay-sayers are off!

Looks like the Open Rights Group have teamed up with our friend Mr Kitcat for their opposition to the May 2007 eVoting Pilots.

Unfortunately for them they've let him produce a lot of the materials which has led to more of the usual nonsense being spouted (from the briefing pack):

"Voting is a uniquely difficult question for computer science: the system must verify your eligibility to vote; know whether you have already voted; and allow for audits and recounts. Yet it must always preserve your anonymity[4] and privacy"

As we fully know, voting in the UK is not anonymous and the only reference to this fact (despite the references to constant anonymous votes) is left until the footnotes at the end of the document. Burying the bad news hey?

"To prevent ballot stuffing, we must mark your vote so that we can be sure it came from a real voter, yet we cannot trace this vote to you personally."

Under judicial oversight we can. You might not like the current law, you may wish to challenge the current law, but the current law is the current law. Either lobby Parliament to change it or live with it. It probably does more to protect you than a completely anonymous vote anyway (ooh there'll be letters on that one).

Anyway, even if we lose the requirement to tie a vote to the voter, we can still tie the vote to the credentials (anonymous of course) that were used to cast the vote. Surely that helps significantly?

"Indeed TV production companies encourage multiple-voting as a way to increase their revenue from each vote cast. For the very enthusiastic fan, software is available on the internet which automates dialing, allowing a single individual to vote hundreds of times."

Say that again into my good ear would you? The point seems to be that IVR channels in elections are bad because people will stuff them... yes those credentials allow you to vote as many times as you want and every vote counts. No really. Little-known secret that only us eVoter advocates know about. Watch out for some surprises in May, my diallers are ready, and the extra 10 phone lines have been ordered from BT!

Jason then proceeds to do a lovely bait and switch around postal voting (still haven't had an answer to the question "What's the difference between remote eVoting and postal voting for the purposes of coercion and vote selling?"):

"Nevertheless postal voting’s remote nature opens the way for voter intimidation and manipulation."

but then seems to think that

"Postal voting is still paper-based, so the scale of the fraud possible is limited by the logistics of collecting and moving the ballot papers." & "With e-voting the paper is gone, hence the scale of possible fraud becomes as large as the fraudster’s imagination."

is reasonable mitigation for postal voting and the death for eVoting. Say what? The fraudsters are working at the end points here, they still have to visit the person they're coercing or buying off regardless of whether it's eVoting or postal.

"Furthermore, software fraud can be committed long before an election, by someone far beyond the UK’s legal jurisdiction, thereby making detection and prosecution difficult."

Of course it will because I leave sensitive systems plugged into public networks when they're not needed all the time. Force of habit, my bad. And how does the attacker being outside the country make detection more difficult? There's a valid point around prosecution, but certainly not around detection.

That's enough for now...